Listen 0.0.0.0:8080
ServerRoot "/httpdir"
PidFile "/httpdir/httpd.pid"
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule mime_module modules/mod_mime.so
LoadModule status_module modules/mod_status.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule version_module modules/mod_version.so
LoadModule wsgi_module modules/mod_wsgi_python3.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule request_module modules/mod_request.so
LoadModule auth_gssapi_module modules/mod_auth_gssapi.so
LoadModule session_module modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule session_dbd_module modules/mod_session_dbd.so
LoadModule auth_form_module modules/mod_auth_form.so
LoadModule setenvif_module modules/mod_setenvif.so

StartServers  20
ServerLimit   100
MaxRequestsPerChild 2000
MaxRequestWorkers 100
TypesConfig /etc/mime.types
AddDefaultCharset UTF-8
CoreDumpDirectory /tmp

# Logging. Don't log OpenShift's probes
SetEnvIf Request_URI "^/healthz/" dontlog
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /httpdir/access.log combined env=!dontlog
ErrorLog /httpdir/error.log
LogLevel info

WSGISocketPrefix run/wsgi
WSGIPythonHome /opt/venv
WSGIDaemonProcess fasjson processes=4 threads=1 maximum-requests=500 \
  display-name=%{GROUP} socket-timeout=2147483647 \
  lang=C.UTF-8 locale=C.UTF-8 home=/httpdir
WSGIImportScript /etc/fasjson/wsgi.py \
  process-group=fasjson application-group=fasjson
WSGIScriptAlias / /etc/fasjson/wsgi.py
WSGIScriptReloading Off
WSGIRestrictStdout Off
WSGIRestrictSignal Off
#WSGIPythonOptimize 1  # This causes the ldap module to fail

<Location "/">
  WSGIProcessGroup fasjson
  WSGIApplicationGroup fasjson

  Require all granted
  ErrorDocument 401 /errors/401
  ErrorDocument 403 /errors/403
  ErrorDocument 404 /errors/404
  ErrorDocument 500 /errors/500
</Location>

<LocationMatch "^/v[0-9]+/">
  AuthType GSSAPI
  AuthName "Kerberos Login"
  GssapiUseSessions On
  Session On
  SessionCookieName ipa_session path=/;httponly;secure;
  SessionHeader IPASESSION
  GssapiSessionKey file:/httpdir/run/session.key

  GssapiCredStore keytab:/etc/keytabs/http
  GssapiCredStore client_keytab:/etc/keytabs/http
  GssapiCredStore ccache:FILE:/httpdir/httpd.ccache
  GssapiDelegCcacheDir /httpdir/run/ccaches
  GssapiDelegCcachePerms mode:0660
  GssapiUseS4U2Proxy on
  GssapiAllowedMech krb5

  Require valid-user

  Header always append X-Frame-Options DENY
  Header always append Content-Security-Policy "frame-ancestors 'none'"
  Header unset Set-Cookie
  Header unset ETag
  FileETag None
</LocationMatch>
